TUCoPS :: Linux :: General :: esa2-003.txt

kernel / lids-base - There are several local vulnerabilities in the LIDS system. - ESA-20020114-003


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                January 14, 2002 |
|  http://www.engardelinux.org/ ESA-20020114-003 |
|                                                                        |
| Packages: kernel / lids-base                                           |
| Summary:  There are several local vulnerabilities in the LIDS system.  |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
--------
  Recently there were several local vulnerabilities discovered in the LIDS
  system used by EnGarde Secure Linux which could allow an attacker to
  gain root, and even disable LIDS completely.


DETAIL
------
  Stealth of TESO recently discovered several vulnerabilities in the LIDS
  (Linux Intrusion Detection System).  The following is an outline of
  these bugs:

    1) Using the LD_PRELOAD environment variable (and potentially other
       LD_ variables), an attacker can make programs granted specific
       capabilities "leak" them to unprivileged processes.  For example,
       if there is a program granted CAP_SETUID then an attacker can gain
       root.

    2) An attacker, who has already gained root, could write directly to
       the LIDS data structures in kernel memory (using /dev/kem) and
       effectively disable LIDS.

    3) Philippe Biondi of the LIDS team also discovered that programs
       launched before LIDS is sealed keep full capabilities after the
       sealing takes place.  This allows a window of opportunity for an
       attacker to leverage the CAP_SYS_RAWIO or CAP_SYS_MODULE
       capabilities.

  All known LIDS bugs are fixed with this release.  In addition to new
  kernel packages, there are new 'lids-base' packages with an updated LIDS
  configuration to accommodate the kernel changes.  All users are
  recommended to upgrade immediately, following the special SOLUTION
  outlined in this advisory.


SOLUTION
--------
  This information applies only to EnGarde Secure Linux Community edition
  users. Registered users of the EnGarde Secure Linux Professional
  edition can use the Guardian Digital Secure Network to upgrade their
  packages automatically.

  All users should upgrade to the most recent version as outlined in
  this advisory.  All updates may be found at:

     ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

Please read and understand this entire section before you attempt to
  upgrade the kernel.

  Initial Steps
  -------------
    1) Verify the machine is either:

       a) booted into a "standard" kernel; or
       b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL)

    2) Determine which kernels you currently have installed:

         # rpm -qa --qf "%{NAME}.%{ARCH}\n" | grep kernel

    3) Download the new kernels that match what you have installed
       (based on step 2) from the "UPDATED PACKAGES" section of this
       advisory.

  Installation Steps
  ------------------
    4) Install the new kernel and lids-base packages.  Because of version
       dependencies, you MUST install both the updated kernel packages and
       the new lids-base package at the same time.  The kernel packages
       will automagically update /etc/lilo.conf by commenting out any old
       EnGarde images and replacing them with the new ones:

         # rpm --replacefiles -i ... 

5) The new lids-base package will automatically update your LIDS
       configuration to work with the new kernels.  You must now re-run
       LILO by hand.  If you see any errors then open /etc/lilo.conf in
       your favorite text editor and make the appropriate changes:

         # /sbin/lilo

  Final Steps
  -----------
    6) If you did not see any LILO errors then your new kernel is now
       installed and your machine is ready to be rebooted:

         # reboot


UPDATED PACKAGES
----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/kernel-2.2.19-1.0.24.src.rpm
      MD5 Sum: 18e6a28e9b97b70e4d47693a14d5bc5d

    SRPMS/lids-base-0.9.15-1.0.27.src.rpm
      MD5 Sum: 06e4e37f90072cc02ee57ef8bc342c16

  Binary Packages:

    i386/kernel-2.2.19-1.0.24.i386.rpm
      MD5 Sum: e81ed6ebea8cbbd48436dd4dca77f12b

    i386/kernel-lids-mods-2.2.19-1.0.24.i386.rpm
      MD5 Sum: 5d05f9f9bf4c18b50cb6d5bffde09218

    i386/kernel-smp-lids-mods-2.2.19-1.0.24.i386.rpm
      MD5 Sum: 8bece6223cd528772e12cfab1599625b

    i386/kernel-smp-mods-2.2.19-1.0.24.i386.rpm
      MD5 Sum: a609eae6b7505f2827ca13611dcfa5af


    i686/kernel-2.2.19-1.0.24.i686.rpm
      MD5 Sum: de36286c504b2593814ff61505afc4fc

    i686/kernel-lids-mods-2.2.19-1.0.24.i686.rpm
      MD5 Sum: b4c1232d4f77dfb7375d842659387116

    i686/kernel-smp-lids-mods-2.2.19-1.0.24.i686.rpm
      MD5 Sum: 4a719fcf119a553d11807c2d8a0c0b45

    i686/kernel-smp-mods-2.2.19-1.0.24.i686.rpm
      MD5 Sum: 7d3c6094a8c1ac1e8797c04b64ad746c


    i386/lids-base-0.9.15-1.0.26.i386.rpm
      MD5 Sum: 698cb992aa428eec3e38c220043792d7

    i686/lids-base-0.9.15-1.0.26.i686.rpm
      MD5 Sum: 337b68513574355c4c120b11b79b8726


REFERENCES
----------
  Guardian Digital's public key:
     http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

The LIDS Advisory Published by TESO:
     http://www.team-teso.org/advisories/teso-advisory-012.txt

Credit for the discovery of these bugs goes to:
    Stealth <stealth@team-teso.net>
Philippe Biondi <pbi@cartel-info.fr>

LIDS' Official Web Site:
     http://www.lids.org/

Security Contact:    security@guardiandigital.com
EnGarde Advisories:   http://www.engardelinux.org/advisories.html

--------------------------------------------------------------------------
$Id: ESA-20020114-003-lids,v 1.2 2002/01/14 21:36:46 rwm Exp $
--------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2002, Guardian Digital, Inc.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH